Re: Win2000 Impersonation weirdness? (or is it a conundrum?)

From: D. Cross [MS] (vaq130@hotmail.com)
Date: 07/20/02

• Next message: Karl: "Domain Policy"
• Previous message: Shmulik Attia: "OU's Q ?"
• In reply to: Colin Reinhardt: "Win2000 Impersonation weirdness? (or is it a conundrum?)"
• Next in thread: Colin Reinhardt: "Re: Win2000 Impersonation weirdness? (or is it a conundrum?)"
• Reply: Colin Reinhardt: "Re: Win2000 Impersonation weirdness? (or is it a conundrum?)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "D. Cross [MS]" <vaq130@hotmail.com>
Date: Sat, 20 Jul 2002 10:21:36 -0700

Is the server joined to a domain? I believe you will require system
priveleges to impersonate in a domain.

--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Colin Reinhardt" <colinrei@oz.net> wrote in message
news:#J8HQ64LCHA.2656@tkmsftngp13...
> On Win2K Server (SP1), it seems that I cannot successfully call
LogonUser( )
> if the process is
> running as a security context which does not already have the SE_TCB_NAME
> privilege
> (aka "Act as part of the operating system").  The privilege need not be
> enabled, just must be on the token...
>
> How then can I do the following:  I want to have a process which runs by
> default as an unprivileged account (for example, Inetinfo process).
> This process receives logon requests from users, and when they securely
> provide their account credentials, it impersonates them using a
potentially
> more privileged account (based on the credentials they provide) by making
a
> call to LogonUser and creating an impersonating thread...
>
> This scenario works "correctly" in XP Pro.  How can I make the same work
in
> Win2K Server?
>
> Please help!
>
> Colin Reinhardt
> software engineer
> colinr@transenda.com
>
>
>
>

---

• Next message: Karl: "Domain Policy"
• Previous message: Shmulik Attia: "OU's Q ?"
• In reply to: Colin Reinhardt: "Win2000 Impersonation weirdness? (or is it a conundrum?)"
• Next in thread: Colin Reinhardt: "Re: Win2000 Impersonation weirdness? (or is it a conundrum?)"
• Reply: Colin Reinhardt: "Re: Win2000 Impersonation weirdness? (or is it a conundrum?)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Sql Reporting Serviced - > ASP.NET ACCESS DENIED! ... The account you are logging in to when on the server doesn't have the ... do you have <Impersonate> set to True? ... > Exception Details: System.UnauthorizedAccessException: Access to the path ... (microsoft.public.dotnet.framework.aspnet.security) Re: Kerberos protocol transition is not working over DCOM ... can see the COM+ component's constructor being called on the server side. ... I haven't yet tried with a normal account. ... The account calling LsaLogonUser is service1 and it has the above six ... user1 is the account I'm trying to impersonate. ... (microsoft.public.platformsdk.security) Re: security on the web.config file ... the reason I use the impersonate is the web site will allow ... different network shares on multiple servers so the impersonated account has ... the .config file can only we accessed from the server ... (microsoft.public.dotnet.framework.aspnet) ASP and LogonUser ... because LocalSystem has that privilege. ... RevertToSelf doesn't work because by default, the IWAM account doesn't ... since even out-of-process apps impersonate the IUSR ... IWAM privilege get the impersonation token for IUSR? ... (microsoft.public.inetserver.iis.security) Re: Global.asax not allowing identity impersonation? ... When you set Identity Impersonate=true, ... request processing. ... Not allowed to use the ASPNET machine account in SQL Server (very ... (microsoft.public.dotnet.framework.aspnet)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(11)